BreachExchange mailing list archives

Sony Announces Settlement In Data Breach Lawsuit


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 18 Sep 2015 13:39:00 -0600

http://www.jdsupra.com/legalnews/sony-announces-settlement-in-data-66676/

Lawyers for former employees of Sony Pictures Entertainment (“SPE”)
indicated in a September 2, 2015 filing that they have tentatively reached
a settlement with SPE in the class action suit resulting from the data
breach allegedly perpetrated by North Korean hackers in retaliation for
SPE’s making and release of the movie “The Interview.”  The proposed
settlement heads off a trial that was slated for February 2016.  Terms of
the settlement will not be known until October 19, 2015, when formal
documentation of the settlement is due to the federal district court in Los
Angeles.  The court will then be responsible for approving the settlement.

At issue were plaintiffs’ claims that the data breach divulged highly
sensitive employee personally identifiable information (“PII”) such as
names, addresses, birth dates, Social Security numbers, visa and passport
numbers, tax records, payroll information, and criminal background checks.
SPE responded in court filings that despite the divulgence of the sensitive
information, plaintiffs' hypothesized harms have largely failed to occur.
SPE also argued that plaintiffs’ pervasive sharing of their personal
information on social media and other forums would make it difficult, if
not impossible, to determine whether any harm was the result of the SPE
data breach.

It will be interesting to see how the SPE settlement compares to other
notable data breach settlements.  As one example, most settlements to
date have involved a relatively small payout per class member, which
commentators believe is a reflection of the fact that most consumers are
not required to pay for fraudulent charges, retailers often provide free
credit monitoring services, and few consumers suffer catastrophic harms.
These settlements underscore how important it is for a company to disclose
breaches early and provide free credit monitoring services to employees to
mitigate any risk of credit impairment or identity theft.  The SPE data
breach, however, appears to have involved a much greater array of PII than
in other high-profile data breaches.  It remains to be seen if the scope of
PII disclosed results in a larger settlement amount despite the apparent
lack of significant harm to the SPE plaintiffs.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
